Vulnerability in Microsoft Teams granted attackers access to emails, messages, and personal files

A vulnerability in Microsoft Teams could allow a malicious actor to steal sensitive data and access a victim’s communications, researchers have warned.

The bug, which has now been patched, allowed an attacker to steal a victim’s emails, Teams messages, and OneDrive files, as well as send emails and messages on their behalf.

It was discovered by Evan Grant, staff research engineer at Tenable, who detailed the security issue in a blog post released today (June 15).

 

Attack surface

The attack relies on a vulnerability in the Microsoft Power Apps tab. Microsoft Teams has a default feature that allows a user to launch small applications (or applets) as a tab in any team they are part of.

If that user is part of an Office 365/Teams organization with a Business Basic license or above, they also have access to a set of Teams tabs which consist of Microsoft Power Apps applications, the blog post explains.

In an unpatched version of Teams, an actor could set up a malicious tab which, when opened by the victim, would give the attacker access to the victim’s private documents and communications.

“Furthermore, the attacker could disguise themselves as the victim and send emails and messages on their behalf, potentially allowing them to conduct further social engineering attacks within the organization,” added Grant.

“Despite the simplicity of the bug, the attack itself is fairly complicated and requires a working knowledge of the Microsoft Power Apps and Power Automation features.”

 

Limitations

However, Grant pointed out, the malicious actor would have to be a member of the Microsoft Teams organization that they are attacking, meaning it would only work in the context of an insider threat attack.

More technical details about the bug and a proof of concept can be found in the blog post.

Microsoft Teams users are urged to update to the latest version of the software to protect against the vulnerability.

 


Source: https://portswigger.net